OPC UA is a new standard protocol for manufacturer-independent and platform-independent communication, such as in process automation, specified by the OPC Foundation. Although OPC originally stood for Object Linking and Embedding (OLE) for Process Control, the name OPC has since been used without reference to any abbreviation. UA stands for Unified Architecture.
FIG. 1a) illustrates a known arrangement for interaction between an OPC UA client 11 and an OPC UA server 13 according to the OPC UA specification using a communication system 12, such as a network. In this case, the OPC UA client 11 uses OPC UA service calls from a set of OPC UA service calls specified in the OPC UA protocol for interaction. However, an OPC UA server can also operate as an aggregating server, as illustrated in FIG. 1b). Such an aggregating OPC UA server 14 can act as a client for other, subordinate OPC UA servers 13. As such, the aggregating OPC UA server 14 can collect data provided by these other OPC UA servers 13 and can provide the data in its own address space.
The field of application for OPC UA clients and servers encompasses a wide range and their function can be implemented in different devices and systems, such as controllers, PC-based control systems, production management systems, or in production planning, for example.
However, the standard protocol OPC UA does not define any mechanisms for authenticating and authorizing users in a scenario with aggregating servers. The specification provides that an aggregating server may have a plurality of users acting as its agents, which it can use to set up mutually independent sessions with the other servers. However, the relationship between the identity of a client user and the identities used by the aggregating server is not specified. This means that it is optional whether client identities match the identities known to the other servers or whether, instead, independent superordinate users are formed for access to aggregating servers.
In order to achieve a suitable security level in OPC UA systems, it is important to support fine-grained access control for users and to comply with the stipulated “least privileges” protection for each user accessing data. A concept with superordinate users in the aggregating server for client identities would breach the design objectives.
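The following added example (not part of the original text and not an implementation of the OPC UA protocol or of any OPC UA SDK) is a simplified model of the two identity designs discussed above. A subordinate server enforces a per-user permission table; an aggregating server forwards calls to it either under one fixed superordinate account or under the identity of the calling client user. The service names, node identifiers, user names and permission tables are constructed placeholders.

```python
"""Model of identity handling in an OPC UA aggregating server (added example).

This is not the OPC UA protocol or any SDK: the service names, node ids,
user names and permission tables below are constructed for illustration.
"""

from dataclasses import dataclass, field

READ, WRITE = "Read", "Write"  # constructed stand-ins for OPC UA services


class AccessDenied(Exception):
    """Raised when a subordinate server rejects a call for the given user."""


@dataclass
class SubordinateServer:
    """A subordinate server with a per-user, per-node permission table."""
    name: str
    # permissions[user][node_id] -> set of allowed services (constructed ACL)
    permissions: dict = field(default_factory=dict)
    values: dict = field(default_factory=dict)

    def call(self, user: str, service: str, node_id: str, value=None):
        allowed = self.permissions.get(user, {}).get(node_id, set())
        if service not in allowed:
            raise AccessDenied(f"{self.name}: {user} may not {service} {node_id}")
        if service == READ:
            return self.values.get(node_id)
        self.values[node_id] = value
        return value


@dataclass
class AggregatingServer:
    """Collects nodes of subordinate servers into its own address space.

    propagate_identity=False models the 'superordinate user' design: every
    downstream session runs as one fixed account, whatever client user called.
    propagate_identity=True forwards the client's own identity, so the
    subordinate server's permission table is enforced per user (least privilege).
    """
    subordinates: dict
    superordinate_user: str
    propagate_identity: bool

    def call(self, client_user: str, service: str, node_id: str, value=None):
        # Aggregated node ids are "<server>/<local node>" (constructed convention).
        server_name, _, local_node = node_id.partition("/")
        downstream_user = (client_user if self.propagate_identity
                           else self.superordinate_user)
        return self.subordinates[server_name].call(downstream_user, service,
                                                   local_node, value)


def build_plc() -> SubordinateServer:
    """Constructed subordinate server: an operator may only read the setpoint."""
    return SubordinateServer(
        name="plc1",
        permissions={
            "operator": {"Setpoint": {READ}},
            "engineer": {"Setpoint": {READ, WRITE}},
            "aggregator-svc": {"Setpoint": {READ, WRITE}},  # superordinate account
        },
        values={"Setpoint": 50},
    )


def request(propagate_identity: bool, user: str, service: str,
            node_id: str, value=None):
    """Run one client call through a fresh aggregator; return ('ok', result) or ('denied', reason)."""
    agg = AggregatingServer({"plc1": build_plc()}, "aggregator-svc", propagate_identity)
    try:
        return "ok", agg.call(user, service, node_id, value)
    except AccessDenied as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    # Superordinate account: a read-only operator can write through the aggregator.
    print(request(False, "operator", WRITE, "plc1/Setpoint", 99))
    # Propagated identity: the subordinate server's ACL still applies to the operator.
    print(request(True, "operator", WRITE, "plc1/Setpoint", 99))
    print(request(True, "engineer", WRITE, "plc1/Setpoint", 99))
```

The superordinate-account mode is the design the text rejects: the subordinate server only ever sees the aggregator's own account, so the permission it grants to that account becomes the effective permission of every client user, and the per-user "least privileges" objective is lost. Propagating the client identity keeps enforcement at the subordinate server, which is why the relationship between client identities and aggregator identities matters.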
Mechanisms for so-called single sign-on would be desirable in OPC UA systems. Single sign-on (SSO) mechanisms allow a user to access all applications and data according to a previously defined individual permission following input authentication. The user advantageously does not need to log on again within a computer system.
Although different types of standard solutions for single sign-on are known in information technology, these SSO solutions cannot be used in OPC UA products because they are based on a central authentication server, where a user is required to log on via a web interface and the server allocates the access authorization for a predefined set of applications. Such authentication servers use http or other web protocols to identify users and allocate access authorizations for other applications. However, http and other web protocols are not always allowed or available in automation networks and, in addition, not every OPC UA application is a web application. Furthermore, the authentication server would have to understand the OPC UA protocol in order to authenticate a user for an OPC UA server. However, this is not the case with products currently on the market.